How to use Let's Encrypt with Nginx to obtain a Legitimate and Free SSL Certificate for HTTPS

This post is part of a series. This list contains all of the posts:

Let's Encrypt and Nginx Tutorial

Let's Encrypt is a free provider of legitimate SSL certificates trusted by all browsers. My employer Cisco happens to be a sponsor. It is now fantastically easy and free to set your website up with HTTPS so there is no excuse not to.

Before Let's Encrypt can issue your certificate, the DNS name you are requesting it for must resolve to your server's public IP address via an A record, because the validation request is sent to that address.

I've liberally reproduced from the following sources of information for this post:

Let's Encrypt installation and Certificate Generation

Install the Let's Encrypt client (certbot, from the EPEL repository on CentOS/RHEL) via the following:

sudo yum install epel-release
sudo yum install certbot

Inside of the Nginx default.d directory, add the following file:

sudo vi /etc/nginx/default.d/le-well-known.conf

Add the following contents:

location ~ /.well-known {
    allow all;
}

Restart nginx

sudo systemctl restart nginx

Now use the Let's Encrypt utility:

sudo certbot certonly -a webroot \
--webroot-path=/usr/share/nginx/html \
-d -d

The bot will ask you for an email and to consent to the terms of service.

This will create a few files that you will use later:

[myuser] sudo ls /etc/letsencrypt/live/
cert.pem  chain.pem  fullchain.pem  privkey.pem

Generate a DH Group

sudo openssl dhparam -out /etc/ssl/certs/dhparam.pem 2048

This will take a long time and then create the file /etc/ssl/certs/dhparam.pem, which the Nginx SSL configuration will reference.

Let's Encrypt certificates expire after 90 days, so they must be renewed regularly. It's simple to do this by using the Let's Encrypt utility and setting up an entry in cron.

sudo crontab -e

And add the following two entries:

 30 2 * * 1 /usr/bin/certbot renew >> /var/log/le-renew.log
 35 2 * * 1 /usr/bin/systemctl reload nginx

This will trigger the renewal process once a week on Monday. Running it weekly is fine: certbot renew only replaces certificates that are within 30 days of expiry and leaves the rest untouched, and the reload five minutes later makes Nginx pick up any new certificate.
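The cron entries above reload Nginx unconditionally five minutes after the renewal run, whether or not it succeeded. The following script is an added example that is not from the original post: it checks the live directory that certbot writes (the path layout shown earlier, /etc/letsencrypt/live/<domain>/) before any reload happens. It verifies that the certificate is still valid for at least a minimum number of days (using openssl x509 -checkend, so no date parsing is needed) and that privkey.pem actually matches fullchain.pem, and it only reloads Nginx when every check passes. The directory path, the 30-day default and the name renewal_check are my assumptions.

```shell
#!/bin/sh
# Post-renewal sanity check for a Let's Encrypt live directory.
# Added example, not part of the original post. Assumes the layout
#   /etc/letsencrypt/live/<domain>/{fullchain.pem,privkey.pem}
# Usage: renewal_check.sh /etc/letsencrypt/live/<domain> [min_days]

# Return 0 if the leaf certificate in $1 is still valid for at least $2 days.
# `openssl x509 -checkend N` exits 0 when the cert is still valid N seconds
# from now, 1 when it expires before then.
cert_valid_for_days() {
    cert="$1"; min_days="$2"
    openssl x509 -noout -checkend $(( min_days * 86400 )) -in "$cert" >/dev/null 2>&1
}

# Return 0 if the private key in $2 belongs to the certificate in $1.
# Both commands print the SubjectPublicKeyInfo as PEM, so a plain string
# comparison is enough.
key_matches_cert() {
    cert="$1"; key="$2"
    cert_pub=$(openssl x509 -noout -pubkey -in "$cert" 2>/dev/null) || return 1
    key_pub=$(openssl pkey -pubout -in "$key" 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Run every check against a live directory; print one verdict line per check
# and return non-zero if any check failed.
renewal_check() {
    live_dir="$1"; min_days="${2:-30}"
    cert="$live_dir/fullchain.pem"; key="$live_dir/privkey.pem"
    status=0
    for f in "$cert" "$key"; do
        if [ ! -r "$f" ]; then
            echo "FAIL missing or unreadable: $f"
            status=1
        fi
    done
    [ "$status" -eq 0 ] || return "$status"

    if cert_valid_for_days "$cert" "$min_days"; then
        echo "OK   certificate valid for more than $min_days days"
    else
        echo "FAIL certificate expires within $min_days days (did renewal run?)"
        status=1
    fi

    if key_matches_cert "$cert" "$key"; then
        echo "OK   privkey.pem matches fullchain.pem"
    else
        echo "FAIL privkey.pem does not match fullchain.pem"
        status=1
    fi
    return "$status"
}

# When invoked with a directory argument, reload Nginx only if all checks
# passed, so a failed or partial renewal never takes the site down.
if [ "$#" -ge 1 ]; then
    renewal_check "$@" && systemctl reload nginx
fi
```

Run it as /path/to/renewal_check.sh /etc/letsencrypt/live/<domain> from the second cron entry in place of the bare reload, and send its output to the same log file as the renewal so a FAIL line is visible where you already look.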

Nginx SSL Setup

Create a new file for the Nginx configuration:

sudo vi /etc/nginx/conf.d/ssl.conf

At this point you should head over to the Digital Ocean article and copy and paste the Nginx configuration for the ssl.conf file, since there is no need for me to reproduce it here.

After this is ready, we want to redirect all HTTP traffic to HTTPS.

sudo vi /etc/nginx/default.d/ssl-redirect.conf

Add the following content:

return 301 https://$host$request_uri;

Restart nginx

sudo systemctl restart nginx

Verify it works, and then run a Qualys SSL Labs scan on it.
